Samsung Patches Critical Vulnerabilities in Android Devices

Samsung has released a maintenance update for its major Android flagship Galaxy models to resolve 16 vulnerabilities in these devices.

The updates, available as part of the company’s monthly Security Maintenance Release (SMR) process, include all patches released by Google up to its January 2016Android Security Bulletin. The release also includes several Samsung Vulnerabilities and Exposures (SVE) items.

Samsung’s January 2016 SMR includes a patch for a remote code execution (RCE) vulnerability in Android Mediaserver (CVE-2015-6636) rated as Critical. During the media file and data processing of a specially crafted file, an attacker could exploit the flaw to cause memory corruption and remote code execution.The vulnerability appears to be similar in scope to the“Stagefright” vulnerabilitythat was disclosed in July 2015, which affected nearly one billion Android devices. Google’s initial patchdid not properly addressthe mediaserver service flaw.

Another Critical flaw addressed in the updates is CVE-2015-6617, a flaw in Skia that allows remote attackers to execute arbitrary code or cause a denial of service via a crafted media file. The vulnerability was resolved by Google in the December 2015 bulletin, and Samsung included it in its December SMR too.

This month, Samsung Android devices also received fixes for a series of Android flaws rated Medium risk, such as CVE-2015-6643, CVE-2015-5310, CVE-2015-6644, CVE-2015-6645, all of which were patched in Google’s December 2015 or January 2016 updates for the Nexus devices.

Of the 7 SVE items included in Samsung’s January 2016 SMR, three are rated Critical and could result in arbitrary code execution, memory corruption, or FRP/RL bypass. The first could be triggered when a malformed BMP image is scanned by a facial recognition library, the second is a flaw in ‘libQjpeg.so’ and can be triggered by a malformed JPEG file, while the third is a bug in download mode that can reset the FRP/RL partition by using ‘Odin’ protocol, according to the release notes.

Samsung also patched a vulnerability resulting from a combination of unprivileged local apps being able to access some providers and an SQL injection (SQLi) flaw, which allowed applications to access all messages from SecEmail. The update also resolves a memory corruption issue rated Medium, along with a Low rated bug that could cause crashes when malicious service commands were called.

Samsung didn’t provide information on all SVEs included in the package, but revealed that at least two of the bugs affect the Samsung Galaxy S6 smartphone. Users are advised to install the security updates as soon as possible, to ensure their devices are protected from any attempts to exploit the fixed vulnerabilities.

Samsung began delivering monthly updates to its Android users in October 2015, after announcing such plans in August. The move followed Google’s decision to resolve flaws in the mobile OS on a monthly basis, after the critical “Stagefright” vulnerability was found in July to affect nearly one billion devices.